开始之前
您必须承担 root 角色。有关更多信息,请参见在 Oracle Solaris 11.2 中确保用户和进程的安全 中的使用所指定的管理权限。如果执行远程管理,请参见Example 7–1 和在 Oracle Solaris 11.2 中管理安全 Shell 访问 中的如何使用安全 Shell 远程管理 ZFS,了解进行安全的远程登录的说明。
中心系统需要一个允许很宽的 IP 地址范围的策略。随后,IKE 策略中的证书确保进行连接的系统是合法的。
# /etc/inet/ipsecinit.conf on central # Keep everyone out unless they use this IPsec policy: {} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
DNS 标识中心系统。证书用于验证该系统。
## /etc/inet/ike/ike.config on central # Global parameters # # Find CRLs by URI, URL, or LDAP # Use CRL from organization's URI use_http # # Use web proxy proxy "http://somecache.domain:port/" # # Use LDAP server ldap_server "ldap-server1.domain.org,ldap2.domain.org:port" # # List CA-signed certificates cert_root "C=US, O=Domain Org, CN=Domain STATE" # # List self-signed certificates - trust server and enumerated others #cert_trust "DNS=central.domain.org" #cert_trust "DNS=mobile.domain.org" #cert_trust "DN=CN=Domain Org STATE (CLASS), O=Domain Org #cert_trust "email=root@central.domain.org" #cert_trust "email=user1@mobile.domain.org" # # Rule for mobile systems with certificate { label "Mobile systems with certificate" local_id_type DNS # CA's public certificate ensures trust, # so allow any remote_id and any remote IP address. remote_id "" remote_addr 0.0.0.0/0 p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 } }
/etc/hosts 文件不需要移动系统的地址,但是可以提供一个地址。该文件必须包含中心系统 central 的公共 IP 地址。
# /etc/hosts on mobile central 192.xxx.xxx.x
移动系统需要按照中心系统的公共 IP 地址来查找中心系统。这些系统必须配置相同的 IPsec 策略。
# /etc/inet/ipsecinit.conf on mobile # Find central {raddr 192.xxx.xxx.x} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
标识符不能是 IP 地址。以下标识符对移动系统有效:
DN=ldap-directory-name
DNS=domain-name-server-address
email=email-address
证书用于验证移动系统 mobile。
## /etc/inet/ike/ike.config on mobile # Global parameters # # Find CRLs by URI, URL, or LDAP # Use CRL from organization's URI use_http # # Use web proxy proxy "http://somecache.domain:port/" # # Use LDAP server ldap_server "ldap-server1.domain.org,ldap2.domain.org:port" # # List CA-signed certificates cert_root "C=US, O=Domain Org, CN=Domain STATE" # # Self-signed certificates - trust me and enumerated others #cert_trust "DNS=mobile.domain.org" #cert_trust "DNS=central.domain.org" #cert_trust "DN=CN=Domain Org STATE (CLASS), O=Domain Org #cert_trust "email=user1@domain.org" #cert_trust "email=root@central.domain.org" # # Rule for off-site systems with root certificate { label "Off-site mobile with certificate" local_id_type DNS # NAT-T can translate local_addr into any public IP address # central knows me by my DNS local_id "mobile.domain.org" local_addr 0.0.0.0/0 # Find central and trust the root certificate remote_id "central.domain.org" remote_addr 192.xxx.xxx.x p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 } }
# svcadm enable svc:/network/ipsec/ike:default
IKE 可以从 NAT 盒 (NAT box) 之后启动协商。但是,IKE 的理想设置是在 NAT 盒 (NAT box) 没有介入的情况下进行的。在以下示例中,CA 的公共证书放置在移动系统和中心系统上。中心系统接受来自 NAT 盒 (NAT box) 之后的系统的 IPsec 协商。main1 是可以接受来自站点外系统的连接的公司系统。有关如何设置站点外系统,请参见Example 10–5。
## /etc/hosts on main1 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on main1 # Keep everyone out unless they use this IPsec policy: {} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
## /etc/inet/ike/ike.config on main1 # Global parameters # # Find CRLs by URI, URL, or LDAP # Use CRL from organization's URI use_http # # Use web proxy proxy "http://cache1.domain.org:8080/" # # Use LDAP server ldap_server "ldap1.domain.org,ldap2.domain.org:389" # # List CA-signed certificate cert_root "C=US, O=ExampleCA Inc, OU=CA-Example, CN=Example CA" # # Rule for off-site systems with root certificate { label "Off-site system with root certificate" local_id_type DNS local_id "main1.domain.org" local_addr 192.168.0.100 # CA's public certificate ensures trust, # so allow any remote_id and any remote IP address. remote_id "" remote_addr 0.0.0.0/0 p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256} p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256} p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256} p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256} }示例 10-5 使用 IPsec 和 IKEv1 配置 NAT 之后的系统
在以下示例中,CA 的公共证书放置在移动系统和中心系统上。mobile1 将从本部连接到公司总部。Internet 服务提供商 (Internet service provider, ISP) 网络使用 NAT 盒 (NAT box) ,以允许 ISP 为 mobile1 指定专用地址。然后,NAT 盒 (NAT box) 将专用地址转换为与其他 ISP 网络节点共享的公共 IP 地址。公司总部不在 NAT 之后。有关如何在公司总部设置计算机,请参见Example 10–4。
## /etc/hosts on mobile1 mobile1 10.1.3.3 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on mobile1 # Find main1 {raddr 192.168.0.100} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
## /etc/inet/ike/ike.config on mobile1 # Global parameters # # Find CRLs by URI, URL, or LDAP # Use CRL from organization's URI use_http # # Use web proxy proxy "http://cache1.domain.org:8080/" # # Use LDAP server ldap_server "ldap1.domain.org,ldap2.domain.org:389" # # List CA-signed certificate cert_root "C=US, O=ExampleCA Inc, OU=CA-Example, CN=Example CA" # # Rule for off-site systems with root certificate { label "Off-site mobile1 with root certificate" local_id_type DNS local_id "mobile1.domain.org" local_addr 0.0.0.0/0 # Find main1 and trust the root certificate remote_id "main1.domain.org" remote_addr 192.168.0.100 p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 } }示例 10-6 接受来自移动系统的自签名证书
在以下示例中,自签名证书已经颁发,并存放在移动系统和中心系统上。main1 是可以接受来自站点外系统的连接的公司系统。有关如何设置站点外系统,请参见Example 10–7。
## /etc/hosts on main1 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on main1 # Keep everyone out unless they use this IPsec policy: {} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
## /etc/inet/ike/ike.config on main1 # Global parameters # # Self-signed certificates - trust me and enumerated others cert_trust "DNS=main1.domain.org" cert_trust "jdoe@domain.org" cert_trust "user2@domain.org" cert_trust "user3@domain.org" # # Rule for off-site systems with trusted certificate { label "Off-site systems with trusted certificates" local_id_type DNS local_id "main1.domain.org" local_addr 192.168.0.100 # Trust the self-signed certificates # so allow any remote_id and any remote IP address. remote_id "" remote_addr 0.0.0.0/0 p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 } }示例 10-7 使用自签名证书联系中心系统
在以下示例中,mobile1 将从本部连接到公司总部。证书已经颁发,并放置在移动系统和中心系统上。ISP 网络使用 NAT 盒 (NAT box) ,以允许 ISP 为 mobile1 指定专用地址。然后,NAT 盒 (NAT box) 将专用地址转换为与其他 ISP 网络节点共享的公共 IP 地址。公司总部不在 NAT 之后。有关如何在公司总部设置计算机,请参见Example 10–6。
## /etc/hosts on mobile1 mobile1 10.1.3.3 main1 192.168.0.100
## /etc/inet/ipsecinit.conf on mobile1 # Find main1 {raddr 192.168.0.100} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
## /etc/inet/ike/ike.config on mobile1 # Global parameters # Self-signed certificates - trust me and the central system cert_trust "jdoe@domain.org" cert_trust "DNS=main1.domain.org" # # Rule for off-site systems with trusted certificate { label "Off-site mobile1 with trusted certificate" local_id_type email local_id "jdoe@domain.org" local_addr 0.0.0.0/0 # Find main1 and trust the certificate remote_id "main1.domain.org" remote_addr 192.168.0.100 p2_pfs 5 p1_xform {auth_method rsa_sig oakley_group 5 encr_alg aes auth_alg sha256 } }
接下来的步骤
如果建立 IPsec 策略未完成,请返回到 IPsec 过程以启用或刷新 IPsec 策略。有关保护 VPN 的 IPsec 策略的示例,请参见使用 IPsec 保护 VPN。有关 IPsec 策略的其他示例,请参见如何使用 IPsec 保护两台服务器之间的网络通信。